A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait
Recently an interesting SmokeLoader sample caught my eye, and moreover I had to put my SmokeLoader monitoring under scrutiny, as the monitoring script found it hard to locate a live C2. Then I noticed something strange on the dashboard: the C2s reported by the configuration extraction script and the C2s seen in the generated pcap were different.
Output from config extraction
Pcap-generated output
Notice the subtle difference between the two outputs?
A configuration extraction script is essentially an instrumentation script (using WinDbg or a memory acquisition tool) that extracts configuration (C2s, keys, campaigns, etc.) from a running malware binary. Its sole purpose is to match a pattern in the binary and pull certain parameters out of whatever that pattern points to...
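To make the failure mode concrete, here is an added example (it is not the author's script and not SmokeLoader's real code, pattern or encoding): a minimal pattern-based extractor run over a constructed memory image, followed by the cross-check the post performs by hand, comparing extracted C2s against hosts seen in traffic. The `push imm32; call` byte pattern, the image base, the two embedded URLs and the "observed in pcap" host list are all assumptions made up for this illustration. The point it shows is that a pattern matcher faithfully returns every site that matches, including a decoy that is never contacted, so extraction output should be reconciled against network evidence before it is trusted.

```python
import re
import struct
from urllib.parse import urlparse

# Hypothetical image base for the constructed dump (assumption, not SmokeLoader's).
IMAGE_BASE = 0x00400000

# Toy signature: x86 "push imm32" (0x68 + 4 bytes) immediately followed by a
# "call rel32" opcode (0xE8). Many real extractors key on a sequence like this
# and treat the pushed immediate as a pointer to a configuration string.
PATTERN = re.compile(rb"\x68(.{4})\xe8", re.DOTALL)


def build_image() -> bytes:
    """Constructed 512-byte memory image with two call sites: the first pushes a
    pointer to a decoy URL (the bait), the second pushes a pointer to the C2 that
    is actually used. Both match the same pattern."""
    img = bytearray(0x200)
    decoy_off, real_off = 0x100, 0x140
    code = (
        b"\x68" + struct.pack("<I", IMAGE_BASE + decoy_off) + b"\xe8" + b"\x00" * 4
        + b"\x68" + struct.pack("<I", IMAGE_BASE + real_off) + b"\xe8" + b"\x00" * 4
    )
    img[0x10:0x10 + len(code)] = code
    img[decoy_off:decoy_off + 22] = b"http://decoy.example/\x00"
    img[real_off:real_off + 21] = b"http://real.example/\x00"
    return bytes(img)


def extract_c2s(image: bytes, base: int = IMAGE_BASE) -> list[str]:
    """Pattern-based extraction: for every push/call site, dereference the
    pushed immediate inside the image and keep NUL-terminated printable URLs."""
    found = []
    for m in PATTERN.finditer(image):
        va = struct.unpack("<I", m.group(1))[0]
        off = va - base
        if not 0 <= off < len(image):
            continue  # pointer does not land inside the dump
        end = image.find(b"\x00", off)
        if end == -1:
            continue
        s = image[off:end]
        if s.startswith(b"http") and all(0x20 <= b < 0x7F for b in s):
            found.append(s.decode("ascii"))
    return found


def compare_with_traffic(extracted: list[str], observed_hosts: list[str]) -> dict:
    """Reconcile extracted C2 URLs with hostnames actually seen in the pcap.
    Anything 'unconfirmed' was extracted but never contacted: a candidate decoy."""
    observed = {h.lower() for h in observed_hosts}
    confirmed, unconfirmed = [], []
    for url in extracted:
        host = (urlparse(url).hostname or "").lower()
        (confirmed if host in observed else unconfirmed).append(url)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    image = build_image()
    c2s = extract_c2s(image)
    # Constructed "pcap" evidence: only the real host was ever contacted.
    report = compare_with_traffic(c2s, ["real.example"])
    print("extracted:  ", c2s)
    print("confirmed:  ", report["confirmed"])
    print("unconfirmed:", report["unconfirmed"])
```

Run stand-alone, the extractor returns both URLs and the reconciliation flags `http://decoy.example/` as extracted-but-never-contacted, which is exactly the kind of dashboard mismatch described above. In practice the observed-host list would come from the pcap (DNS queries and HTTP `Host` headers) rather than a literal.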